UNC6426 used stolen npm keys to gain AWS administrator access in under 72 hours

A threat actor known as UNC6426 used keys stolen after an August 2025 supply chain compromise of the nx npm package to breach a customer's AWS environment and escalate to full administrator permissions in less than 72 hours, resulting in data exfiltration and destruction of production resources.

KEY FACTS

  • Incident: supply chain compromise of the nx npm package led to credential theft
  • Actor: UNC6426
  • Time to escalation: under 72 hours to full AWS administrator permissions
  • Impact: S3 data exfiltration, EC2 and RDS termination, internal repositories made public

The initial compromise in August 2025 used a vulnerable GitHub pull_request_target workflow to push trojanized nx packages to npm. Those packages included a postinstall script that launched a JavaScript credential stealer named QUIETVAULT to harvest environment variables, system information, and tokens from developer endpoints.

Attackers captured a developer's GitHub token when QUIETVAULT executed. They then performed reconnaissance inside the victim's GitHub environment and used a legitimate open source tool named Nord Stream to extract secrets from CI systems and leak credentials for a GitHub service account.

In a Cloud Threat Horizons Report by Google, the company said the actor abused GitHub-to-AWS OpenID Connect trust to create a new administrator role and attach the AdministratorAccess policy, enabling escalation to full administrator permissions in less than 72 hours.
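The escalation path above depends on an IAM role that trusts the GitHub OIDC provider. Whether a stolen GitHub identity can assume such a role is decided entirely by the role's trust policy conditions. The following audit script is an added example, not code from the report or from the affected organisation; the two trust policies, the account id 123456789012 and the repository names are constructed for illustration. It flags the conditions a defender would check: an `aud` not pinned to `sts.amazonaws.com`, no `sub` condition at all, a wildcard repository in `sub`, and a `sub` that does not pin a branch or environment.

```python
"""Audit IAM role trust policies for over-permissive GitHub OIDC conditions.

Added example: the policies below are constructed samples, not from the incident.
"""
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"

# Constructed weak policy: any repository under the org, any branch, no audience check.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {GITHUB_OIDC_ISSUER + ":sub": "repo:example-org/*"}
        }
    }]
})

# Constructed hardened policy: one repository, one branch, audience pinned.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                GITHUB_OIDC_ISSUER + ":aud": "sts.amazonaws.com",
                GITHUB_OIDC_ISSUER + ":sub": "repo:example-org/app:ref:refs/heads/main"
            }
        }
    }]
})


def _conditions(stmt):
    """Flatten a statement's Condition block into {key: (operator, [values])}."""
    out = {}
    for operator, key_values in stmt.get("Condition", {}).items():
        for key, values in key_values.items():
            if isinstance(values, str):
                values = [values]
            out[key] = (operator, list(values))
    return out


def audit_trust_policy(policy_json):
    """Return a list of findings for a role trust policy; an empty list means it passes."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "AssumeRoleWithWebIdentity" not in json.dumps(stmt.get("Action", "")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if GITHUB_OIDC_ISSUER not in federated:
            continue  # only GitHub OIDC statements are audited here
        conds = _conditions(stmt)

        aud = conds.get(GITHUB_OIDC_ISSUER + ":aud")
        if aud is None or "sts.amazonaws.com" not in aud[1]:
            findings.append("aud is not pinned to sts.amazonaws.com")

        sub = conds.get(GITHUB_OIDC_ISSUER + ":sub")
        if sub is None:
            findings.append("no sub condition: any GitHub workflow can assume this role")
            continue
        operator, values = sub
        for value in values:
            parts = value.split(":")  # repo:<org>/<name>:<qualifier>:<value>
            repo = parts[1] if len(parts) > 1 else ""
            if operator.startswith("StringLike") and "*" in repo:
                findings.append("wildcard repository in sub: " + value)
            if len(parts) < 3 or "*" in parts[2]:
                findings.append("sub does not pin a branch or environment: " + value)
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, audit_trust_policy(policy) or "OK")
```

Running it prints three findings for the weak policy and `OK` for the hardened one. In practice the policy JSON would come from `iam:GetRole` for every role whose principal is the GitHub OIDC provider; the check itself does not need AWS access, so it can run in CI against policy files before they are applied.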

With administrator roles in place, the actor enumerated and accessed S3 objects, exfiltrated files, terminated production EC2 and RDS instances, decrypted application keys, and renamed internal GitHub repositories to make them public. Recommended mitigations include using package managers that block or sandbox postinstall scripts, enforcing least privilege for CI/CD service accounts and OIDC roles, issuing fine-grained, short-lived personal access tokens, removing standing privileges for high-risk actions, and monitoring for anomalous IAM activity and Shadow AI risks.
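The "monitor for anomalous IAM activity" recommendation is concrete here: a role session issued through GitHub OIDC has no business creating roles or attaching AdministratorAccess. The detector below is an added example, not from the report or from any vendor product; the CloudTrail events it reads are constructed samples that follow CloudTrail's field layout (`userIdentity`, `eventName`, `requestParameters`, `responseElements`), with made-up account id, role and session names. It records which assumed-role sessions were minted by `AssumeRoleWithWebIdentity` from the GitHub provider, then raises an alert whenever one of those sessions performs a privilege-changing IAM call, rating an AdministratorAccess attachment as critical.

```python
"""Flag IAM privilege changes made from a GitHub OIDC-issued role session in CloudTrail.

Added example with constructed sample events; not from the incident or the report.
"""
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
PRIVILEGE_EVENTS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
                    "UpdateAssumeRolePolicy", "CreateAccessKey"}
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"

# Constructed session ARN for a CI deploy role assumed through GitHub OIDC.
CI_SESSION = "arn:aws:sts::123456789012:assumed-role/github-deploy/GitHubActions"

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2025-08-27T10:00:00Z", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC_ISSUER,
                      "userName": "repo:example-org/app:ref:refs/heads/main"},
     "responseElements": {"assumedRoleUser": {"arn": CI_SESSION}}},
    {"eventTime": "2025-08-27T10:00:30Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "arn": CI_SESSION}},
    {"eventTime": "2025-08-27T10:01:00Z", "eventName": "CreateRole",
     "userIdentity": {"type": "AssumedRole", "arn": CI_SESSION},
     "requestParameters": {"roleName": "maintenance-admin"}},
    {"eventTime": "2025-08-27T10:01:10Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole", "arn": CI_SESSION},
     "requestParameters": {"roleName": "maintenance-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # A human IAM user doing the same thing is out of scope for this rule.
    {"eventTime": "2025-08-27T10:05:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "ops", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]]


def _session_from_oidc(event, oidc_sessions):
    """True if the caller is a session minted via GitHub OIDC (seen earlier or tagged in sessionContext)."""
    ident = event.get("userIdentity", {})
    if ident.get("arn", "") in oidc_sessions:
        return True
    fed = ident.get("sessionContext", {}).get("webIdFederationData", {}) or {}
    return GITHUB_OIDC_ISSUER in fed.get("federatedProvider", "")


def detect_oidc_privilege_escalation(raw_events):
    """Return alerts for privilege-changing IAM calls made by GitHub OIDC sessions.

    Events are expected in time order, as CloudTrail delivers them per file.
    """
    oidc_sessions = {}  # assumed-role session ARN -> time the OIDC assume happened
    alerts = []
    for raw in raw_events:
        event = json.loads(raw)
        name = event.get("eventName")
        if name == "AssumeRoleWithWebIdentity":
            provider = event.get("userIdentity", {}).get("identityProvider", "")
            session_arn = (event.get("responseElements") or {}).get("assumedRoleUser", {}).get("arn")
            if GITHUB_OIDC_ISSUER in provider and session_arn:
                oidc_sessions[session_arn] = event.get("eventTime")
            continue
        if name not in PRIVILEGE_EVENTS or not _session_from_oidc(event, oidc_sessions):
            continue
        params = event.get("requestParameters") or {}
        policy_arn = params.get("policyArn", "")
        alerts.append({
            "eventTime": event.get("eventTime"),
            "eventName": name,
            "session": event["userIdentity"].get("arn"),
            "target": params.get("roleName"),
            "severity": "critical" if policy_arn.endswith(ADMIN_POLICY_SUFFIX) else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_oidc_privilege_escalation(SAMPLE_EVENTS):
        print(alert)
```

On the sample the rule fires twice: `high` for the CreateRole call and `critical` for the AdministratorAccess attachment, both attributed to the `github-deploy` session. The `ListBuckets` call is ignored and the IAM user's change is left to a separate rule. A deployment role that legitimately never touches IAM can go further and deny `iam:*` outright in its permission boundary, which turns this detection into prevention.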

WHY IT MATTERS

The incident demonstrates how a developer toolchain compromise can rapidly lead to full cloud takeover and severe operational and data loss. Reducing trust in build artifacts and enforcing least privilege in CI and cloud roles can limit the blast radius of similar attacks.